To just configure an AWS Config integration to analyze AWS configuration compliance, follow the procedure provided below.
To configure both an AWS CloudTrail integration to analyze CloudTrail activity for monitoring cloud account security and an AWS Config integration to analyze AWS configuration compliance, follow the procedure provided in Initial Setup of AWS CloudTrail & Config Integration.
During the initial Lacework account setup, you can choose to integrate Lacework with AWS to analyze AWS configuration compliance. Also during this initial setup, you can add a single AWS account to Lacework. After the initial setup, you can add additional accounts from the Lacework Console using a Cloud Formation template that launches the AWS console. However, integrating multiple AWS accounts using the AWS console is not efficient because each integration requires you to log in to each account with administrative privileges and ensure there are no resource conflicts when creating the CloudFormation stack. Instead, you can integrate multiple AWS accounts using an automated batch process as described in Multiple AWS Account Integration.
During integration, Lacework creates an IAM role with the least privileges. To grant Lacework permission to create this role, you must log in to your AWS account as a user with administrator credentials [arn:aws:iam::aws:policy/AdministratorAccess]. You cannot complete the integration without the required credentials.
1. Add an Account
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Select Settings > Cloud Accounts.
- Click + Create New.
- Select AWS and AWS Config for the cloud type and integration type.
- In the Name field, enter the name of the integration.
2. Choose an Integration Method
You can either enter the configuration information manually or use the Lacework Cloud Formation template.
If you are using the Cloud Formation template, you can either run or download the CloudFormation template. The download option is helpful if you need to distribute the template to different account owners. For the initial setup, Lacework recommends that you choose the Run Cloud Formation Template option.
a) Option 1: The Run Cloud Formation Template option requires fewer steps and less user interaction. For this option, disable your browser pop-up blocker.
b) Option 2: The Download Cloud Formation Template option requires more user interaction, but may be useful if you have multiple accounts with distributed ownership.
3. Click the Chosen Integration Method
a) Option 1: Click Run Cloud Formation template.
You are redirected to the AWS Create stack > Select Template page. The Lacework script populates the Specify an Amazon S3 template URL for you.
After reviewing the page, click Next.
b) Option 2: Click Download Cloud Formation Template.
- Download the template locally.
- Log in to your AWS account.
- Select the CloudFormation service and click Create New Stack, which brings you to the Create stack > Select Template page.
- Upload the Lacework template and click Next.
For more information on Selecting a Stack Template, refer to the AWS Documentation library.
4. Specify Details on the Create Stack - Specify Details page.
- Create a Stack name [for example, Lacework-AWS-Config] or use the default.
- Resource name prefix is populated with the account name of the first account configured to use Lacework for AWS Config if the direct configuration method was chosen. When adding accounts, you can keep this prefix or enter a different prefix to ensure account uniqueness. If you chose to upload the template during initial installation, Resource name prefix will be empty. Enter a prefix such as an account name.
- Lacework populates ExternalID, but can be changed if you follow a defined naming policy.
After completing the above steps, click Next.
No changes are required on the Create stack - Options page. Click Next.
On the Create stack - Review page, complete the following steps:
- Check I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create.
7. CloudFormation page
After clicking Create, you are redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack is CREATE-COMPLETE, Security Audit integration for a single account is complete.